PT-2021-14381 · Synapse+1

Clokep · Published 2021-02-24 · Updated 2022-10-24 · CVE-2021-21274

CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Synapse versions prior to 1.25.0
Description: A malicious homeserver could redirect requests to their .well-known file to a large file, leading to a denial of service attack where homeservers consume significantly more resources when requesting the .well-known file of a malicious homeserver. This affects any server that accepts federation requests from untrusted servers.
Recommendations: For Synapse versions prior to 1.25.0, update to version 1.25.0 to resolve the issue. As a temporary workaround, consider using the federation domain whitelist setting to restrict the homeservers communicated with over federation.
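The description above boils down to an unbounded fetch: a homeserver that follows redirects freely and reads the whole response into memory can be pointed at a file of arbitrary size. The following is an added illustration (not Synapse's own code, and not taken from this record) of the two guards a fetcher for .well-known/matrix/server needs: a cap on the redirect chain and a cap on the number of body bytes read. The size and redirect limits, the fetch callable, and the three constructed homeservers are all assumptions made for this example.

```python
import io
import json

# Limits are constructed for this example; the values Synapse uses may differ.
MAX_WELL_KNOWN_BYTES = 50 * 1024
MAX_REDIRECTS = 5


class WellKnownTooLarge(Exception):
    """Raised when a .well-known response exceeds the size budget."""


class TooManyRedirects(Exception):
    """Raised when the redirect chain exceeds MAX_REDIRECTS."""


def read_bounded(stream, max_bytes, chunk_size=4096):
    """Read at most max_bytes from stream, aborting as soon as the budget is exceeded.
    Reading in chunks means an attacker-controlled body never fully lands in memory."""
    buf = bytearray()
    while True:
        chunk = stream.read(min(chunk_size, max_bytes + 1 - len(buf)))
        if not chunk:
            return bytes(buf)
        buf.extend(chunk)
        if len(buf) > max_bytes:
            raise WellKnownTooLarge(f"body exceeded {max_bytes} bytes")


def fetch_well_known(fetch, server_name, max_redirects=MAX_REDIRECTS):
    """Resolve https://<server_name>/.well-known/matrix/server with a bounded redirect
    chain and a bounded body. `fetch(url)` returns (status, headers, stream); in
    production it would wrap an HTTP client, here it is injected so the example
    runs offline. Returns the "m.server" value, or None if there is no well-known."""
    url = f"https://{server_name}/.well-known/matrix/server"
    for _ in range(max_redirects + 1):
        status, headers, stream = fetch(url)
        if status in (301, 302, 303, 307, 308):
            location = headers.get("Location")
            if not location:
                raise ValueError(f"redirect from {url} without Location")
            url = location
            continue
        if status != 200:
            return None
        # Content-Length is a cheap first check, but it is supplied by the remote
        # side and may be absent or wrong, so the bounded read is the real guard.
        declared = headers.get("Content-Length")
        if declared is not None and int(declared) > MAX_WELL_KNOWN_BYTES:
            raise WellKnownTooLarge(f"declared Content-Length {declared} too large")
        body = read_bounded(stream, MAX_WELL_KNOWN_BYTES)
        return json.loads(body.decode("utf-8")).get("m.server")
    raise TooManyRedirects(f"gave up after {max_redirects} redirects at {url}")


class EndlessStream:
    """Constructed stand-in for a huge (effectively never-ending) response body."""

    def read(self, n=-1):
        return b"A" * (n if n > 0 else 4096)


def fake_fetch(url):
    """Constructed responses for three hypothetical homeservers: a benign one,
    one that redirects its .well-known to a large file, and a redirect loop."""
    responses = {
        "https://good.example/.well-known/matrix/server":
            (200, {}, io.BytesIO(b'{"m.server": "matrix.good.example:443"}')),
        "https://evil.example/.well-known/matrix/server":
            (302, {"Location": "https://evil.example/huge.bin"}, None),
        "https://evil.example/huge.bin":
            (200, {}, EndlessStream()),
        "https://loop.example/.well-known/matrix/server":
            (302, {"Location": "https://loop.example/.well-known/matrix/server"}, None),
    }
    return responses[url]


def probe(server_name):
    """Return a short result string so the outcome of each case is easy to check."""
    try:
        return f"ok:{fetch_well_known(fake_fetch, server_name)}"
    except WellKnownTooLarge:
        return "rejected:too-large"
    except TooManyRedirects:
        return "rejected:too-many-redirects"


if __name__ == "__main__":
    for name in ("good.example", "evil.example", "loop.example"):
        print(name, "->", probe(name))
```

The benign server resolves normally; the server that redirects to a large file is cut off after the byte budget rather than read to the end, and the redirect loop is abandoned after the redirect budget. Both failures are cheap for the fetching homeserver, which is the property the fix in 1.25.0 restores; the federation domain whitelist mentioned in the recommendation avoids contacting untrusted servers in the first place.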

Tags: Fix · DoS · Allocation of Resources Without Limits · Resource Exhaustion


Weakness Enumeration

Related Identifiers

ALT-PU-2021-1385
CVE-2021-21274
GHSA-2HWX-MJRM-V3G8
PYSEC-2021-132

Affected Products

Alt Linux
Synapse